164b6821f55fae80677b36357595a6fd8bb1b79cdcc4d716554b6519918cd69a

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 04:58

Target

164b6821f55fae80677b36357595a6fd8bb1b79cdcc4d716554b6519918cd69a.dll
Size

626KB
MD5

698a0bf581c55c53095b2fcfd6b86b50
SHA1

4dc8c488e6286c03b7d2f2dedcc5bf102bd4b5a6
SHA256

164b6821f55fae80677b36357595a6fd8bb1b79cdcc4d716554b6519918cd69a
SHA512

125bc8eaa9fc7d5030a5d07526b508177aae5d4cdcc3393bfcbf3028699918210edd22b9898735271cea73cd19e6be79168e84c63d46e29998766fe55552153a
SSDEEP

12288:9pIuabLJfSRlbHQjnAJqblY7uH1ETAzKALZiaprT6kx:ilfSv7eCfW1aAGALZiapdx

Score

8^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
4064	rundll32mgr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x000c000000022e15-134.dat	upx
behavioral2/files/0x000c000000022e15-135.dat	upx
behavioral2/memory/4064-136-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4948	4064	WerFault.exe	83

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1344	1816	rundll32.exe	82
PID 1816 wrote to memory of 1344	1816	rundll32.exe	82
PID 1816 wrote to memory of 1344	1816	rundll32.exe	82
PID 1344 wrote to memory of 4064	1344	rundll32.exe	83
PID 1344 wrote to memory of 4064	1344	rundll32.exe	83
PID 1344 wrote to memory of 4064	1344	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\164b6821f55fae80677b36357595a6fd8bb1b79cdcc4d716554b6519918cd69a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\164b6821f55fae80677b36357595a6fd8bb1b79cdcc4d716554b6519918cd69a.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    PID:4064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 260
      4⤵
      Program crash
      PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4064 -ip 4064
1⤵
PID:4116

C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
103KB

MD5
39ba7f790512d1af40cc864189175cb7

SHA1
da5f35bed908b1a0d08b7639d76cf2d711789e29

SHA256
b7bf5c2afcbb6f664966c7b2cd72ac8cc26f95199ff49a490550858e83a91e75

SHA512
0b59b197cf1123bacd7badb5b359ec17c45d99e297893a28b5130a724d6ba12465f361d7872ab3ebc527ae317735c1182d3d71bcd53b4773dbca3cd82ea1d76e

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
103KB

MD5
39ba7f790512d1af40cc864189175cb7

SHA1
da5f35bed908b1a0d08b7639d76cf2d711789e29

SHA256
b7bf5c2afcbb6f664966c7b2cd72ac8cc26f95199ff49a490550858e83a91e75

SHA512
0b59b197cf1123bacd7badb5b359ec17c45d99e297893a28b5130a724d6ba12465f361d7872ab3ebc527ae317735c1182d3d71bcd53b4773dbca3cd82ea1d76e

Download Submit
memory/4064-136-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download